SOFTWARE MANAGEMENT
Software Management (Audit 393)                                 March 24, 2005


EXECUTIVE SUMMARY

Under a task order with the Office of Inspector General, Jefferson Wells reviewed the Commission’s software management. Our review found that some controls and best practices have been established, including a configuration management function and the tracking of some software. We commend the Commission for these actions.

The Commission’s controls need to be improved to meet accepted criteria (the Capability Maturity Model), and to be in full compliance with applicable laws and regulations. Our testing found numerous instances of unapproved software on Commission computers and file servers. We are recommending that the Office of Information Technology assign responsibility and improve processes for software management.


SCOPE AND OBJECTIVES

Our objective was to assess internal controls for software management. We also assessed the extent of compliance with applicable laws, regulations, and best practices.

During the review, we interviewed and surveyed Office of Information Technology (OIT) and other Commission staff; reviewed relevant documentation and regulations, including software licensing agreements; and performed tests of internal controls over software on desktops, laptops, and servers at Commission headquarters, the Operations Center, and the Annex. We used an automated tool to help perform our tests (Tally Systems’ TS.Census License Compliance Suite).


BACKGROUND

Executive Order 13103, issued September 30, 1998, provides guidance on software management by federal agencies. The Order seeks to ensure that agencies and recipients of Federal funds comply with copyright law. Appendix A contains the text of the Executive Order and other detailed information on applicable laws, regulations, and best practices for managing software.

The Office of Information Technology (OIT) has primary responsibility for overseeing the Commission’s information technology program, including software management. Technology issues involving user offices are reviewed by the Information Officers’ Council, which consists of senior staff from those offices. Appendix B contains detailed information on the Commission’s organizational structure for software management.

User software is normally distributed from network servers to user desktops through the use of Active Directory, a software management tool. Access to the installation servers is restricted to administrators.

If a problem occurs with the Active Directory distribution, an administrator loads the application manually, using the vendor CD. Server software is either downloaded from the vendor or installed manually from a vendor CD.

The Configuration Management and Quality Assurance Branch (CM/QA) maintains a library of desktop and network software. Other branches within OIT and user offices also keep copies of some software.

The Commission does not maintain formal documentation on software upgrades and change requests. The responsible Commission contractor indicated that changes are requested by email and discussed at meetings.

License tracking is not centralized in the Commission. License information may be maintained in either an electronic file or hard copy, depending on the software and the organization involved.

Appendix C provides background on a five-stage Capability Maturity Model (CMM), which can be useful in assessing an organization’s processes for information technology (IT) management, including software.


AUDIT RESULTS

We found that some controls and best practices have been established for software management, including a configuration management function and the tracking of some software. The Commission’s controls need to be improved to meet accepted criteria (the Capability Maturity Model), and to be in full compliance with applicable laws and regulations. Our testing found numerous instances of unapproved software on Commission computers and file servers.

Our detailed findings and recommendations are presented below, organized into the following categories: policy guidance; controls; record keeping; inventories; training; contractors; and performance measures.


POLICY GUIDANCE

The Commission has not yet issued a written policy that assigns specific responsibilities for software management. To help ensure effective software management and compliance with regulations, a written policy needs to be developed.[1]

    [1] OIT indicated that it has developed an IT Policy Governance Framework that monitors the development and review of all IT-related policies.

    Recommendation A
    OIT should issue a written policy on software management that assigns responsibilities for ensuring compliance with laws, regulations, and best practices.


CONTROLS

Automated Tools

OIT indicated that it has recently installed an automated tool to catalog all Commission desktop, laptop, and server computers. It can further improve software controls by installing additional specialized software (such as snapshot, network, and PC tools). This software can image and map Commission computers and the network, and track licensing requirements for software.

    Recommendation B
    OIT should install automated software management tools.

User Privileges

Currently, user privileges are not audited to help ensure that users are restricted from downloading or installing executable code or other installation packages and software. Granting users privileges beyond what they require for their jobs could lead to security risks or noncompliance with software licensing requirements.

    Recommendation C
    OIT should audit user privileges and eliminate unnecessary access rights. The need for shared passwords should be evaluated.

Software License Auditing

OIT does not currently audit compliance with software licenses through tests of Commission computers. As part of this audit, we conducted an audit of software licenses using an automated tool (TS.Census).

The audit covered over 2700 Commission desktop and laptop computers, or approximately 90% of the computers in headquarters and the Operations Center. We also manually inspected the primary Commission server (on which applications are tested before installation on other servers) and gathered limited information from other servers. We provided OIT with a detailed description of our testing and results.

We found a total of 853 installed applications on Commission desktop and laptop computers. Of this total, 523 were not on the OIT-approved software list. In addition, we could not find licenses for 111 applications, based on purchase and other records.

Of the applications that were not approved, at least 30 were freeware, and 28 applications could be considered suspicious or potentially malicious. A total of 13 applications appeared to exceed the threshold for licenses, which could make the Commission liable for additional costs or subject to legal action. We also found a total of 604 applications on Commission servers that could not be identified as approved.

    Recommendation D
    OIT should evaluate our test results and take appropriate action, as resources permit, to ensure that only approved software is installed on Commission computers. It should consider periodically performing audits similar to ours.

Manual Controls

The responsibility for software management is distributed throughout the Commission. Thus, the adequacy of controls may vary. For example, physical security appears effective in the test lab, which is locked and maintains installation media in a locked cabinet. License records for back-up media management are also well controlled. However, we found many instances of software installation CDs being left in unsecured workspaces in the Operations Center Annex.

During our review, OIT conducted no audits of hardware. The Asset Management Branch within OIT has recently taken over this responsibility.

As stated in the Background, OIT does not maintain documentation on software upgrades and change requests after the basic foundation has been installed. Also, license tracking is not centralized and standardized.

Finally, OIT currently does not have written procedures governing software disposal or a disposal checklist.

    Recommendation E
    OIT should enhance manual controls for software management (covering physical security of software; hardware audits; tracking of software licenses, purchases, distribution, and change requests; and software disposal procedures, among other issues).

Preventive Controls

At the time of the audit, OIT did not make projections for anticipated user growth, which would assist planning for future software purchases. OIT indicated that it has now begun making such projections.

OIT does not produce management reports on compliance with software licenses. OIT records hardware disposal and storage, but does not have standard procedures for these activities.

    Recommendation F
    OIT should implement preventive controls for software management (such as user growth projections, management reporting on compliance with software licenses, and hardware disposal procedures).


RECORD KEEPING

OIT does not have written policies and procedures for record keeping that adequately manage the approval, use, and safekeeping of software (including UNIX, backup media, Windows, and other desktop software) and software licenses. Written procedures would help ensure that license thresholds are not exceeded, license certifications are available for review, and record keeping is centralized, timely, effective, and secure.

    Recommendation G
    OIT should develop written policies and procedures for record keeping to adequately manage the approval, use, and safekeeping of Commission software and licenses.


INVENTORIES

OIT does not currently perform inventories of software on Commission computers to ensure compliance with software licensing agreements and copyright laws. The Asset Management Branch within OIT has recently been assigned responsibility for hardware and software inventories.

The Commission numbers hardware with a bar-code system and has users sign a form for all computer exchanges. However, significant hardware changes have occurred recently, including the upgrade of most laptops and a number of servers.

    Recommendation H
    OIT should perform periodic physical inventories of tracked software installations and hardware, and follow up as appropriate.


TRAINING

Commission and contractor staff are required to take an on-line course in security and copyright law. The training does not reference specific Commission policies or procedures, and is not tailored to specific groups (e.g., administrators, contractors). As of July 2004, 94% of the target audience of approximately 4500 staff had taken the course. A total of 261 staff had not started the course and 28 had only partially completed it (90 of these are contractors).

Based on our survey of 40 Commission staff (including IT Specialists, OIT Liaisons, and members of the Information Officers’ Council), awareness and understanding of Commission software policies can be improved.

Users with administrator rights need more detailed guidance and training than other users, tailored to their job responsibilities. Currently, specialized guidance and training is not provided to these users. This training could cover copyright protection for software; troubleshooting and security procedures; and detection and reporting of inappropriate activities on computers.

Similarly, contractor staff would benefit from additional training, given OIT’s extensive use of contractors to perform sensitive duties (for example, purchasing and handling of software).

    Recommendation I
    OIT should ensure that all staff and contractors receive and are evaluated on the required training in security and copyright law. OIT should also consider developing specialized training for certain users (such as administrators and contractors).


CONTRACTORS

Commission contractors are not following the same procedures for software purchasing, installation, storage, and license monitoring. Also, procedures for distributing software and computers to contractor staff have not been developed. Consistent procedures for contractors would help provide better software management.

    Recommendation J
    OIT should develop procedures applicable to contractor acquisition and management of Commission software and hardware.


PERFORMANCE MEASURES

OIT has not developed performance measures for reporting of software licensing information to senior OIT management and appropriate follow-up. These measures would help enhance software management.

    Recommendation K
    OIT should develop reports for senior OIT management that contain performance measures for monitoring and follow-up on software licensing information.

    At a minimum, the performance measures should include a count of current licenses versus the number of installed products; periodic reporting on when software licenses will expire; projected growth areas; and software products being proposed, tested, or evaluated.